When are you going to sue your
customers?

A lot of noise is made about open
source software (OSS) and intellectual property (IP) and the risk
inherent in large enterprises using OSS. The high tech headlines are
full of news of the SCO Group suit against IBM1,
large vendors like Microsoft offering unlimited indemnifications
against IP suits while claiming people will likely be sued over OSS2,
and the like.

The rhetoric follows the logic:

OSS developers may be trespassing
on all sorts of patents.

OSS developers obviously (sic)
don't care about property.

Customers using OSS therefore run
the risk of patent infringement suits.

Intellectual property is distinct from
the asset it protects, so lets establish a few definitions.
Intellectual property (IP) refers to a set of legal tools that one
uses to protect an asset. IP law typically covers the ground of
trade secret (how you legally protect an idea as a secret), patent
(how you publish an idea in a legally protected way so others cannot
build it), copyright (how you control the use of the “written”
representation), and trademark (protecting the way you identify the
asset). Companies develop assets that are packaged into products for
sale to customers. These assets may be real works of invention and
innovation, or merely represent some subjectively “better”
level of business execution, packaging, and service to the customer.
Not every idea, process, and asset a company owns or develops is
necessarily “property” in a legal sense.

Some vendors are very advanced in their
IP strategy. It is not simply the case where “more patents
faster” is a rule. Patents can be a little pricey when you add
up patent attorney fees and the defense of the patent over its life.
So one might want to choose how one is going to apply patent
protection to exactly which assets that make up a product for sale.
Indeed one might choose to aggressively publish some ideas to ensure
no one else patents in that space. In the end, it is a business
decision not a technical issue. The top ten list of patent award
winners was published for 2004 from the U.S. Patent and Trademark
Office (USPTO)3.
IBM tops the list again with more than 3000 patents. If you
guesstimate US$15,000 per patent for the application and legal fees,
this means they spent more than US$45,000,000 just obtaining the
patents. This is the same company that also recently “released”
500 patents for open source use4.
It's a business decision.

The lag between application and issue
of the patent in the U.S. is now on the order of 18 months to two
years. This means it is quite possible to ship a product and not
know for quite some time whether or not you are infringing the claims
of someone else's patents. If you're small, no one will probably pay
attention even if you are infringing. But if you're successful with
your product, you become visible and a potential target. The patent
holder may want their fair cut of the proceeds, or if the patent
holder is a competitor, they may want to simply prevent you from
“making” and “distributing” your wares.
Software products certainly fall into this window of risk with the
speed that concept to shipping product happens in the computing
industry.

The interesting idea that may force
patent reform isn't the fact that the software industry with its time
to market is in jeopardy, but that other industries start to feel
this pain. As the design-to-manufacturing time for large items like
automobiles shrinks within the window of lag time for patents, other
very large ticket items are going to begin to ship and have to deal
with the post distribution infringement problem.

Every day developers may be infringing
the claims of other people's patents. This has nothing to do with
open source development methods or licensing. No developer can
actually be aware of it. Developers read the news and trade
journals, and then go to work. There are seldom warnings in articles
about pending patents. Debate rages on whether or not developers
should ever attempt to understand the patent infringement risk for
the code they write. With patents written in legal language and
targeted as broadly as possible (semantic shotguns instead of rifles)
it would be almost impossible for a developer to track the patents
relevant to their work. And of course the lag problem still exists,
meaning even if the developer had the time and training to review
patents in their area of expertise, they cannot know whether or not
their work infringes someone's patent claims in any meaningful time
frame. And if it looks like a developer may have attempted to study
the problem, and perhaps misread or misinterpreted a patent's claims,
then they may be construed as having “willfully”
infringed a patent's claims by the court and that brings additional
financial damages.

So when Linus Torvalds suggests that
developers ignore patents5,
he is not some OSS mongering communist that believes intellectual
property has no value, but rather he's simply working with the
reality the system presents to him. Large software development
companies shipping proprietary closed source products also
tell their developers to not investigate the patent space for the
same reasons. It would be interesting for the large vendors to come
forward to discuss their practices for developers around patent
investigation, rather than slinging useless rhetoric.

A number of vendors want customers to
believe “intellectual property” is important, especially
things like patents. While most people have a schoolyard
understanding that plagiarism is “bad” which covers
copyright issues, patents are a different kettle of fish entirely
which brings us to the title of the essay. The question in the title
is not a rhetorical one. It is meant as a real question to the chief
executives of the major vendors to help customers best assess their
business risk and to best understand exactly what sort of
relationship they have with their suppliers.

Legal IP tools are important for
vendors and certainly relevant in vendor-to-vendor discussions. The
idea that customers care about patents, however, would seem
counter-intuitive. Consider the following: when you last bought an
automobile, did you pick the “Honda” over the “Toyota”
because the Honda had more patents in it, or more patents per ton of
vehicle, or maybe because Honda's intellectual property practices
were “better” some how? Of course not. You bought the
product that met your needs. It may well have even been the more
innovative product by your own subjective measure, but whether or not
the manufacturer chose any number of legal tools to protect the
innovation wasn't part of your buying consideration. How the
vendor's business process works is of no interest to the customer
beyond the actual customer-vendor interface so to speak. Whether the
vendor has a mature IP strategy, applying for patents, trademarks,
and copyrights appropriately, choosing to keep some ideas trade
secret protected, sharing selected IP with partners or competitors
through patent pools and cross licenses, or aggressively publishing
some ideas in the face of their competition is of little interest to
the customer. The customer only cares that the product serves their
needs and provides the value they paid for it.

Next scenario: you are happily driving
your Honda when you receive a letter from Toyota one day telling you
that you're infringing their patents6.
They give you the choice to (a.) cease driving your Honda, or (b.)
pay them a license to their patents. You can essentially “pay
twice” for the privilege of driving your car, and for some
small sum you can feel free of any concerns that you are infringing
Toyota's patent claims ever again. On this vehicle. Or for your
household. Or maybe it will be offered to you the customer as an
annual license calculated by the number of drivers in the house and
the number of Honda vehicles you own, pro-rated over certain uses,
unless the patent applies to certain other manufacturers as well.
What do you do? Do you even waste time calling your lawyer to figure
this one out? Or do you call the Honda dealership and tell them
quite simply to “fix this.” Of course this assumes you
don't also receive letters from General Motors for their
patents (frustrated that North Americans are buying foreign
vehicles), Daimler-Chrysler, and Hyundai, so you have the opportunity
to “license” your Honda vehicle from many companies and
pay for it numerous times.

The reality, however, is that Toyota is
not going to threaten to sue Honda's customers. They would like the
opportunity to switch those Honda customers to Toyota's products, not
upset them to the point that no Toyota dealership ever gets a chance
at that Honda customer again.

Toyota would have the infringement
discussion with Honda directly if it existed, indeed, it is their
responsibility as the patent holder to defend it appropriately.
Vendors sue vendors over intellectual property claims. Customers
have even been known to sue their vendors in specific situations when
the vendor fails to deliver on the promise in a contract. Oddly
enough vendors never sue customers in any sort of broadly applicable
way. There is a really simple rationale behind this. Once a vendor
sues a customer, they have essentially told that customer they never
want that customer's business again. That might even be appropriate
in a narrow situation where there exists some sort of explicit
dispute between exactly the two parties. If however the dispute is
over something like “patent infringement” that can easily
be applied broadly to many customers, then all the vendor's other
customers are put on notice that this vendor does not care about the
relationship and continued business. New potential customers can
see that this is a vendor that may attach law suits to the
relationship, and will quickly factor that into the risk analysis on
the potential purchase. The vendor's top salespeople will discover
their phone calls stop getting returned.

Intellectual property is important –
but between vendors. Cross licenses, patent pools, and simple
licenses exist and are business as usual. “Litigation is just
another means of discussion.”7

This of course leads to the discussion
of enterprise indemnifications and insurance. Open Source Risk
Management, Inc. has a detailed white paper covering ideas on risk
mitigation and insurance, but more focused on developers that modify
the source and vendors, rather than enterprises that simply use
products based on the OSS projects.8
The major vendors are coming forward with various sorts of
indemnifications.

The idea that as an enterprise (not a
vendor or developer) one might want to buy insurance against such
risk is interesting. One insures ones assets, not one's liabilities.
I insure my life and health as it relates to earning power for the
household. As my salary goes up over time, I might increase that
insurance. Likewise I insure my car, but as the value of the car
depreciates over time, I remove insurance from the vehicle as it
relates to replacement of the devalued “old clunker.” I
don't insure my children.

So what is the real risk of a vendor
suing an enterprise customer? How should one consider the risk of
such a suit against the depreciating capital cost of the computer
systems investment made several years ago? Does the vendor rhetoric
around indemnification help or hinder the discussion? This is one of
those situations where Robert Lefkowitz may be right in his statement
that it's the accountants we need to fear in the OSS community, and
not the lawyers.9

In the Fall 2004, Microsoft made a very
public promise of indemnification to Microsoft customers for patent
infringement cases against their products10.
This follows in the wake of the Fall 2003 Novell11
and HP12
indemnifications against various IP infringement suits against Linux
if you purchase the systems from them. The Novell and HP statements
were in reaction to the SCO Group suit against IBM. When you think
about it, the Microsoft promise of indemnification to customers is a
legal statement of business reality. Would any vendor in the
situation where a customer is sued by another company for
infringement for using the vendor's products not name themselves to
the suit as a co-defendant? Would the product vendor trust that a
customer (and likely an angry one at that) was the first line of
defense against building precedent in a court for the infringement?
While in some cases a customer may even have more money than the
vendor as a legal target, one can bet that the mainstream vendors
(HP, Novell, Microsoft, etc.) will be more than interested in running
their own defense case. They might be subtle enough to approach the
customer on the receiving end of the suit to request the customer
goes it alone for other considerations, but even then, their image as
customer defender is probably more valuable. They would likely do
whatever it took to be named co-defendant in a real hurry. They want
to be primary defense for their own patents. The press value is high
to be seen as the defender of customers. They value that particular
relationship and probably want to continue to sell to that customer.

It's not that these corporate
indemnification promises aren't good – but they are redundant
to any vendor worth its customers. You can bet the corporate
accountants and lawyers did the analysis against the value of the
company to its shareholders before making “open ended”
promises.

But what about SCO Group? Isn't this a
case where a vendor is suing customers? I think logically they have
declared themselves. Santa Cruz Operation was a company with a
product it sold to customers. They are no more. Through all the
business acquisitions and deals they have been acquired by the Canopy
Group and renamed to the SCO Group. The SCO Group appears to be a
litigious engine that is designed to sue another vendor for damages,
not unlike previous legal forays of some Canopy Group companies.13
SCO Group appears not to be in business to sell to customers, indeed
they can “sue a customer” to appear to put pressure on
the primary lawsuit. The Daimler-Chrysler and Autozone suits hit the
news in March 2004.14
So far the tactic has failed in relation to the primary suit. This
is not a business with customers, but a legal play to siphon money
out of the system.

So as OSS continues to deploy and grow
in enterprises, those companies will need to consider the source of
the technology they use, and their vendor relationships, which is no
different than any other technology shift in the past decades. As
for OSS developers and vendors themselves, David McGowan may have
said it best:

“If the F/OSS community wants to be in commercial space, community members
will have to learn to deal calmly with IP litigation. The F/OSS production
model will work where it makes sense, and it will not work where it doesn’t.
It’s really just that simple.
Particular claims in individual suits—even one against a
flagship program such as the GNU/Linux OS—will not determine the fate of the community.
Such cases present factual issues that will get resolved one way or another; they do not
represent a crisis
for F/OSS production as a whole. Norm entrepreneurial rhetoric that
plays off such cases should be treated as entertainment. Enjoy it if you like it, take
inspiration from it if you
must, but don’t confuse it with the way things actually get
done.”15

6 My
apologies to Toyota. Someone needed to be the “bad guy”
in the example. Our household has been and remains happy Toyota and
Honda customers. The example also holds true regardless of whether
one is a simple household or a company with a fleet of vehicles.